Apparently, there have been multiple reports of baby monitors being hacked and of cyber attacks on toy software that has led to sensitive data – including photos of children – being stolen. A Hong Kong toymaker, VTech is one recent example of this, while Hello Barbie herself has been at the centre of controversy over whether or not she can also be hacked (ToyTalk and Mattel say not).
Hello Barbie is the world’s first Wi-Fi-enabled Barbie doll. It uses voice recognition software and artificial intelligence to bring her to life. Just as we are connecting everyday objects, such as cameras, heating systems and fridge freezers to the internet, we are also connecting dolls, toys and other items that are accessed by children.
So when it comes to the Internet of Things (IoT), what are the potential risks for child protection, and what needs to be put in place to mitigate against these?
According to the Federal Trade Commission (FTC) in America, the IoT presents a variety of potential security risks that could be exploited to harm consumers, including children. These include enabling unauthorised access and misuse of personal information (such as photos of children or recordings of conversations); facilitating attacks on other systems (by being able to access banking details, passwords etc.); and creating risks to personal safety (in extreme cases, grooming). In a more general sense,research (pdf) by the UK Council for Child Internet Safety has found that 12% of children have experienced data misuse such as identity theft or somebody using their personal information in a way they didn’t like.
Currently there is no specific legislation in place for the Internet of Things. The concept is so new and the technology changes so rapidly that the law has thus far found it impossible to keep up. That situation is unlikely to change any time soon.
There is only one example of case law and that relates to an American case involving TRENDnet, which provides internet-connected cameras for purposes ranging from home security to baby monitoring. Despite claiming its products were secure, the FTC found that hackers were able to access live feeds from consumers’ security cameras and conduct “unauthorised surveillance of infants sleeping in their cribs, young children playing and adults engaging in typical daily activities.” Under the terms of the settlement agreed with the FTC, TrendNet cannot misrepresent its software as “secure” and must get an independent assessment of its security programs once a year for 20 years.
Elsewhere, rules regarding IoT are established within the context of current laws, such as the Children’s Online Privacy Protection Act in the US. Meanwhile, in the UK, the Office of the Information Commissioner recently provided guidance on wearable devices and stipulated there should be no data collected that breaches the Data Protection Act, but so far no specific recommendations or rules have been made that relate to child protection and the IoT.
For now, governments around the world appear to prefer a broad-based approach to privacy legislation, rather than IoT specific rules. However, this is a brave new world we are entering, and as the number of connected devices increases so too will the number of children being exposed to risks.